Information Security Policy

Effective Date: 15th November 2024

WorkPermitCloud Limited (`WPC`)

Registered Office: The Gherkin, Level 28, 30 St. Mary Axe, London, England, EC3A 8BF. Company Registration No: 12909694

1. Introduction

WorkPermitCloud Limited (`WPC`) is committed to ensuring the security, integrity, and confidentiality of personal data processed by our website https://www.righttoworkcheck.co.uk and mobile applications (`WPC Employer` and `WPC Candidate`), collectively referred to as the `Services`. This Information Security Policy outlines the procedures and mechanisms in place to protect sensitive personal data, ensuring compliance with the General Data Protection Regulation (GDPR) and other applicable UK data protection laws.

2. Scope

This policy applies to all data processed by WPC in connection with Right to Work checks, including:

  • Employer Data: Organisation name, job position, employer email, candidate name, candidate email, candidate phone number, job type, and work hours.
  • Candidate Data: Passport, Birth Certificate, Biometric Residence Permit (BRP), Certificate of Sponsorship (COS), Asylum Registration Card (ARC), and other personal data required for completing Right to Work checks.

WPC stores all data on the AWS Cloud platform, utilizing encryption and security measures to ensure the integrity and confidentiality of all personal data processed.

3. Data Protection Principles

  • Lawfulness, Fairness, and Transparency: Data is processed lawfully, fairly, and transparently.
  • Purpose Limitation: Personal data is collected for specific, legitimate purposes, such as fulfilling Right to Work checks as per the UK Home Office’s guidance.
  • Data Minimisation: Only data necessary to complete the Right to Work process is collected and retained.
  • Accuracy: WPC ensures personal data is accurate and up to date.
  • Storage Limitation: Data is retained only as long as required by law, after which it is securely deleted.
  • Integrity and Confidentiality: WPC secures personal data to prevent unauthorized access, loss, or destruction.

4. Data Security Measures

WPC employs industry-standard measures to protect personal data:

  • Encryption: All personal data is encrypted both in transit and at rest using robust protocols.
  • Access Controls: Access is restricted to authorized personnel only, using multi-factor authentication (MFA) and role-based access controls (RBAC).
  • Regular Security Audits: WPC conducts regular audits to identify and mitigate potential vulnerabilities.
  • Third-Party Security: WPC ensures third-party providers comply with GDPR and rigorous security standards.

5. Cloud Security

  • Data is stored on Amazon Web Services (AWS), compliant with ISO 27001 and GDPR standards.
  • AWS provides encryption, Virtual Private Clouds (VPCs), firewalls, and continuous monitoring for security.

6. Incident Response and Breach Notification

In the event of a data breach, WPC will investigate, mitigate, and notify affected parties and regulatory bodies as required under GDPR. Measures will be implemented to prevent future incidents.

7. Employee Awareness and Training

WPC employees receive regular training on GDPR, secure data handling, and information security best practices to ensure compliance.

8. Two-Factor Authentication (2FA)

WPC uses 2FA to enhance access control, requiring an additional verification layer for user authentication.

9. eVisa OTP Security

WPC ensures secure transmission and storage of eVisa OTPs and share codes. Access is limited to authorized personnel for Right to Work verification purposes.

10. Indemnity and Limitation of Liability

WPC shall be indemnified to the fullest extent permitted by law from third-party claims related to non-compliance with information security policies or data misuse.

11. Review and Updates

This policy will be reviewed annually or upon significant regulatory or operational changes. Updates will be communicated to stakeholders, and continued use of WPC services constitutes acceptance.

12. Contact Information

For inquiries or concerns regarding this policy, please contact us at: rtwcheck@workpermitcloud.co.uk.

Registered Office: The Gherkin, Level 28, 30 St. Mary Axe, London, England, EC3A 8BF.

Disclaimer

This app is not affiliated with, endorsed by, or authorized by any government entity. Services are based on publicly available information and regulatory guidelines.